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Abstract 

Concern for privacy when users are surfing on the Web has increased recently. Nowadays, many users are aware that 
when they are accessing Web sites, these Web sites can track them and create profiles on the elements they access, the 
advertisements they see, the different links they visit, from which Web sites they come from and to which sites they 
exit, and so on. In order to maintain user privacy, several techniques, methods and solutions have appeared. In this 
paper we present an analysis of both these solutions and the main tools that are freely distributed or can be used freely 
and that implement some of these techniques and methods to preserve privacy when users and surfing on the Internet. 
This work, unlike previous reviews, shows in a comprehensive way, all the different risks when a user navigates on 
the Web, the different solutions proposed that finally have being implemented and being used to achieve Web privacy 
goal. Thus, users can decide which tools to use when they want navigate privately and what kind of risks they are 
assuming. 
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1. Introduction 

In the last ten years we have assisted to an increas- 
ing interest in the research within the privacy technol- 
ogy field. Indeed, during these years we have observed 
the development on privacy solutions for different pur- 
poses: anonymous communications, identity manage- 
ment, languages for expressing and negotiating privacy 
policies, privacy preserving data publishing and min- 
ing, e-voting, location-based services, etc (Carroll and 
Grosu, 2009; Danezis and Giirses, 2010; Karopoulos 
et al., 2010). This interest within research community 
is also shared by end users (Gross and Rosson, 2007). 

Within anonymous communications end users are in- 
terested in preserving their privacy when they surf on 
the Web since, currently, the access to the Web is the 
main use of the Internet. In fact, more and more they 
access more resources and, at the same time, Web sites 
want to know information on them since Web can be an 
important source of profit. 

When users are surfing on the Web they are interested 
in protecting their Personally Identifiable Information 
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(PII) from being observable. Thus, for some particular 
accesses, they want to be anonymous and avoid being 
tracked. They also want that their browsing behaviour 
and the sites they interact with cannot be known by ob- 
servers (Chen and Fu, 2008), that is, they want to pre- 
vent the creation of profiles on them. 

As users are more and more concerned on their pri- 
vacy (Gross and Rosson, 2007) and want to navigate 
privately for many different intentions: some for legiti- 
mate purposes and some other for criminal, disruptive, 
or socially unacceptable purposes. 

As for legitimate purposes we can mention: privacy 
and freedom of speech (through Webs, blogs or on- 
line social networks), anti-censhorship, anonymous tips 
for law enforcement, surveys (evaluation and feedback), 
gift shopping, obtain commercial information (query 
prices), protection of children privacy, query in search 
engines, access to pornography and the prevention or- 
ganization's Web filters from monitoring or limitation 
of traffic bandwith (e.g., for P2P traffic that is limited 
for ISPs) (CISCO Systems, 2009; Aggarwal et al., 2010; 
Chaabane et al., 2010; Li et al., 201 1). 

On the other hand, as for criminal, disruptive, or so- 
cially unacceptable purposes we point out: spam e-mail, 
piracy, hacking, information and identity theft, cyber- 
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stalking, exposition of an organization to malicious ac- 
tivities, illegal software download, child pornography, 
abuse of organization resources, and even for terrorism 
(CISCO Systems, 2009; Aggarwal et al., 2010; Chaa- 
bane et al., 2010; Li et al., 2011). 

Recently, as a sample of the interest in privacy when 
we surf on the Web, Web browsers such as Mozilla Fire- 
fox, Microsoft Internet Explorer, Google Chrome and 
Safari (from Apple) have included a private browsing 
mode to their user interface that allows users to navigate 
privately. In these browsers, these modes are known 
as Private Browsing, InPrivate, Incognito and private 
browsing, respectively. However, these modes do not 
offer a complete solution to navigate guaranteeing pri- 
vacy. 

The main goals of these private browsing modes are 
two (Aggarwal et al., 2010). First, no to leave trace 
on user computer on the Web sites visited. Second, 
user's activity cannot be linked between the Web sites 
they visit and that the activities carried out in the pri- 
vate mode are not know in the public mode. Thus, these 
modes only offer a partial solution since users might be 
tracked, e.g., from their Internet Protocol (IP) address. 

In this paper our aim is to show the process that users 
follow when they navigate on the Web and, from this 
starting point, to provide a comprehensive explanation 
of how the users can be tracked from the different PII 
can be obtained in this process as well as the different 
solutions and tools existing to cope with these problems. 

Hence, this paper explains that this PII information 
can be obtained from three different conceptual lay- 
ers: TCP/IP level, HTTP level and application level. 
Once we have presented the problems associated to each 
layer, we describe the different mechanisms and tech- 
niques that have been proposed up to date in order to 
avoid that PII can be obtained. 

Although there are an important number of solutions 
to cover privacy in (Web) communications (Linn, 2005; 
Danezis and Diaz, 2008; Edman and Yener, 2009; Behl 
and Lilien, 2009; Danezis and Giirses, 2010; Ren and 
Wu, 2010), it is important to point out that we will only 
center in those solutions and mechanisms that have been 
implemented and are currently being used. 

Finally, we analyse the main free tools that we have 
available to preserve privacy when we surf on the Web 
and we indicate the mechanisms they implement and the 
level of privacy protection they offer. 

The rest of this paper is organised as follows. Sec- 
tion 2 describes the process that is followed when we 
access a Web site and the different privacy-related risks 
we are exposed. Section 3 introduces the solutions to 
overcome the risks mentioned and the main tools we 



can use. Once the solutions and tools have been pre- 
sented, in Section 4 we compare these tools and discuss 
on the protection offered. Section 5 compares our work 
with previous works related to the analysis of solutions 
and tools for enhacing privacy in Web communications. 
Finally, Section 6 presents the main conclusions of our 
work and introduces future work. 

2. Web navigation and privacy concerns 

In this section we describe the process that is followed 
when a user requests a Web page. Then, we explain the 
information that can be obtained from a user during this 
process. Thus, we can understand the different privacy- 
related risks when we surf on the Internet. 

2.1. Web page request flow 

Let us suppose a user is interested in accessing the Web 
site of a company X. The process followed is shown in 
Figure 1 . For this purpose, the user launches her pre- 
ferred Web browser and enters the URL of the Web site 
(e.g. http://www.companyx.com). The browser sends a 
request to the Web site by sending a HTTP GET re- 
quest (step 1). As a response to this request, the Web 
server sends a HTTP 200 OK response that contains the 
HTML page requested (step 2). 

The browser processes the HTML page received 
and obtains the different Web objects (images, scripts, 
Flash objects, ActiveX, Java applets, Silverlight objects, 
stylesheets, etc) included in the HTML page down- 
loaded (steps 2. 1 to 2.4). 

Some Web objects are located in the same server we 
have obtained the Web page. Then, the browser re- 
quests these objects to the same server by means of 
HTTP request as previously explained (steps 2.1 and 
2.2). These steps are repeated for each object requested 
to this server. In this case, as a response the Web 
browser instead of receiving a HTML page, it receives 
a Web object. 

Additionally, the HTML page requested by the user 
could contain some elements that the Web site have in- 
cluded and that are located in other Web sites. In this 
case, the browser, for each element, requests to the cor- 
responding Web server the Web object needed. In gen- 
eral, these objects (usually images, pop-ups and flash 
objects) that a Web site includes from other Web sites 
(third party Web sites) are advertisements or Web bugs 
(tiny images of lxl pixels) (Rezgui et al., 2003). 

There are several entities that can play the role of 
third party Web sites such as advertisment servers, mar- 
ket researchers, affiliate marketers, retargeters, third- 
party data collectors, etc (Gulyas et al., 2008; Toubiana 
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Figure 1 : Web page request flow 



et al., 2010; Lambrecht and Tucker, 2011). Thus, steps 
2.3 and 2.4 are executed as many times as objects from 
these parties are placed in the HTML page. 

When all the objects have been downloaded the Web 
browser activity finishes until the user clicks on a new 
link. 

2.2. Privacy concerns 

When we surf on the Web, Web sites collect informa- 
tion about us (usernames, email address, location infor- 
mation, interests, access patterns, navigating behaviour, 
etc) (Linn, 2005; Harding et al., 2007; Jang et al., 2010) 
that allows them to create profiles. Some of these impor- 
tant Web sites that can collect information on users are 
Web search engines from the search queries the users 
send. 

The use of these profiles is twofold. On the one 
hand, they are used to improve the Web site and cre- 
ate customized services in function of user preferences, 
behaviour, and so on that produce a better user experi- 
ence (Harding et al., 2007; CISCO Systems, 2009; Lam- 
brecht and Tucker, 2011). On the other hand, profiles 
are used for making money thanks to marketing: this 
can attract to more advertisers (their campaigns can be 
more effective) and they can share this PII with other 
entities such as partners and affiliates (CISCO Sys- 
tems, 2009; Yan et al., 2009). Namely, this informa- 
tion is used for targeted advertising and dynamic pricing 
(Gulyas et al., 2008). This latter purpose represents a 
user privacy threat when user is not consenting this data 
collection (Rezgui et al., 2003; Harding et al., 2007). In- 
formation collection is a dimension of privacy that aims 
that data are collected only with knowledge and explicit 
consent (Rezgui et al., 2003). 



Next, in this section we analyse the different informa- 
tion that can be used to track users and create profiles 
about them when they are surfing on the Internet. 

Conceptually, a Web user can be tracked using infor- 
mation of three different layers: TCP/IP layer, HTTP 
layer and application layer. 

2.2.1. TCP/IP layer 

HTTP requests are sent through connections that use 
TCP/IP (Transmission Control Protocol/Internet Proto- 
col) protocol (Fielding et al., 1999). In this level, basi- 
cally, the information that can be gathered to track the 
user is the IP address and the port the user is making the 
request. If in the user's organization Network Address 
Translation (NAT) is not used, the IP address identifies 
the particular computer (or even user) is accessing to the 
Web and we can link all transactions performed by this 
user. If NAT is used, only the IP address does not iden- 
tify the user. As mentioned in (Casado and Freedman, 
2007) the use of NAT is reduced and can be detected. 
Furthermore, complementary mechanisms that we ex- 
pose in the following layers could be used. 

IP address also provides domain name, geo-location 
information, identifying ISP, city, country, region, coun- 
try and continent where the request is being made. 
There are many Web sites where we can access with our 
browser and they provide this kind of information, e.g., 
showip (Showip, 2011b). We can also find sites where, 
from our domain name, they can find information on our 
organisation (even the name of the administrator) based 
on the use of Whois, e.g., Smart Whois (AllNetTools, 
201 1) or Ros instrument Whois (Showip, 201 la). 

In this level, the round-trip time of user's connection 
could also identify a user from others (Back et al., 2001; 
Saint- Jean et al., 2007; Hopper et al., 2007; Schlegel and 
Wong, 2009; Hopper et al., 2010). 

The trace at TCP level can reveal, apart from the 
port used, information such as computers involved in 
the communication, uptime, operating system, NAT de- 
tection, and some other properties of the connection that 
are detailed in (Zalewski, 2005, 2006). 

2.2.2. HTTP layer 

HTTP is the protocol that allows us to access Web re- 
sources. It is a stateless protocol that works using the 
pattern request-response. A HTTP request contains the 
URL of the Web page to be accessed. In the HTTP re- 
sponse, the HTML page is received. 

The HTML page received could contain links to addi- 
tional Web resources needed to show correctly the Web 
page. This involves that new HTTP requests are per- 
formed (see Figure 1, steps from 2.1 to 2.4). These Web 
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resources can be images, Flash objects, CSS (Cascading 
Style Sheets), Javascript, VBScript, etc. Usually, these 
kinds of resources are recovered once the Web page is 
received. 

In this level there are two elements that can be used to 
collect PII and track the user: HTTP headers and HTTP 
cookies (also known as Web cookies. For the shake of 
simplicity, hereinafter we will simply reference them as 
cookies). From connection established for the request 
we can obtain the IP and port the user is connecting to 
the server. 

An HTTP resquest/response contains a set of head- 
ers that can compromise user's privacy. These head- 
ers could reveal the following information: user's 
Web browser (User-agent header), language, encod- 
ing and charset preferences {Accept-Language, Accept- 
Encoding, Accept-Charset headers), the URL of the 
Web site the user has visited previously {Referer header) 
and the user's mail address (From header). There are 
several Web sites where we can see the headers our 
browser is being sent in a HTTP request, e.g., (Lang- 
ton, 2011;Gemal, 2011). 

A cookie is a mechanism defined in order to come 
up with state in HTTP (Barth, 201 1), which allows car- 
rying out multistep transactions. Hence, cookies are 
essential for the support of shopping carts, personal- 
ization based on user's preferences, identification of an 
authentication session, automatic login, location mem- 
ory, customer classification, etc (Harding et al., 2007; 
CISCO Systems, 2009; Yue and Wang, 2009). 

Namely, a cookie is a string of text that contains a 
name and its value, an expiration date (established in the 
optional Expire and Max-Age attributes) and the origi- 
nating site (established in the optional Domain and path 
attributes) (Barth, 2011). 

Cookies can be established for the domain the user is 
downloading the Web page (known as first-party cookie, 
in Figure 1 in steps 2.1 and 2.2) or for another different 
domain (known asthird-party cookie in Figure 1 in steps 
2.3 and 2.4). 

A cookie is sent by the Web server in the Set-Cookie 
header and the server can send several cookies by inclu- 
iding in the same response as many Set-Cookie headers 
as cookies to be established. Once the cookie is estab- 
lished, the Web browser will send it each time user ac- 
cesses the Web. The cookie is sent by means of the 
Cookie header. 

Depending on the lifetime of a cookie, they are clas- 
sified as session cookies and persistent cookies. The 
former are those that are erased when the Web browser 
is closed. Thus, this cookie is not stored in the user's 
hard disk, only resides in memory and the risk they pro- 



duce is quite reduced. The latter are stored in hard disk 
and persist even when the Web browser is closed (or un- 
til they expire or user deletes them). For this reason they 
are also named tracking cookies. 

Cookie mechanism has been used broadly to track, 
profile and monitor user's browsing activities (Rezgui 
et al., 2003; Senicar et al., 2003; Linn, 2005; Yue et al., 
2010; Barth, 2011). Moreover, they could be manipu- 
lated or stolen (Yue et al., 2010). 

For tracking purpose, a cookie (or some of them) 
could contain the number of times the user has vis- 
ited the Web and the Web pages you have visited and 
when you have visited them. Even it can store user's 
movement in the Web site. Furthermore, cookies can 
be combined with other information obtained from the 
HTTP headers (e.g. Referer header) and with Web bugs 
(see next section) to obtain more precise information 
on a user. Due to its implications related to privacy, 
even some legislation have appeared in both Europe and 
United States (Miyazaki, 2008). 

In order to see the cookies that are sent and received 
when we access a Web site we can use several tools such 
as (Odvarko, 2011). More information on cookies can 
be found in (Cookies.org, 201 1). 

2.2.3. Application layer 

In this layer we consider a set of technologies that are 
on top of HTML as well as Web applications that do 
not request explicitely personally identifiable informa- 
tion (that is, we do not need to be registered and authen- 
ticated in that applications) since if user is authenticated 
all the information is available. The analysis of privacy 
in this scenario requires the analysis of privacy identity 
solutions, which is out of the scope of this paper. 

Namely, apart from HTML tags, we are referring to 
objects that are embedded in Web pages such as Web 
bugs (Martin et al., 2003), banner ads, pop-up and pop- 
under windows, JavaScript, VBScript, ActiveX, Java 
applets, Flash objects and plugins. Some of these ob- 
jects are active objects whose purpose is to improve in- 
teractivity and the incorporation of multimedia content 
in HTML. Thus, they improve user's experience and en- 
hance user interfaces. Some of these objects, apart from 
being a potencial source of PII leakage, decrease down- 
load performance (e.g. pop-ups, banner ads, etc). 

As for Web applications that do not explicitely collect 
data but could create profiles we refer to Web search 
engines since they can obtain identifying information 
such as user's name, social security name, location, 
user's work, family, interests and future plans (Saint- 
Jean et al., 2007; Castella-Roca et al., 2009; Peddinti 
and Saxena, 2010). 
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A Web bug (also known as Web beacon, lxl gif or 
tracking bug) is an element or object (generally it is 
a transparent GIF) that is embedded in a Web page or 
even in an e-mail (Martin et al., 2003). The purpose of 
including this element is to know whether the user has 
viewed the Web page or e-mail where it has been em- 
bedded. 

In general, Web bugs are used by third parties to mon- 
itor user activity (count unique and repited visitors as 
well as how they have entered the Web site) or to elab- 
orate statistics. Third party entities (advertisers, Dou- 
bleclick, Google analytics, 2mdn.net, etc) can know 
which entity made the request from the Referer HTTP 
header or by using dynamic URLs (Barth, 201 1). In the 
Figure 1 , the obtaining of a Web bug would be depicted 
in steps 2.3 and 2.4. 

Web bugs can also be combined with cookies (third- 
party cookies) in order to know the computer the user 
is accessing (they also use the Referer header in or- 
der to know from which site the user comes from), the 
Web page opened, when the visit started, the number of 
times the user has accessed to that third party Web site 
and from which servers she has accessed (this Web bug 
could be placed in the Web site of different companies) 
(Martin et al., 2003; Harding et al., 2007; Miyazaki, 
2008). Thus, a third party can track a user across mul- 
tiple Web sites and create the profile of that user. This 
technique is each time more used in Web sites during the 
latest years (Miyazaki, 2008). A report on the sites with 
most Web bugs and its tracker coverage can be found in 
(KnowPrivacy, 2011). 

Javascripts, ActiveXs, Java applets, Flash objects and 
plugins can represent a privacy threat since they can be 
used to fingerprint the user's machine and thus, identify 
the user (this could be made even without cookies, al- 
though with its use could provide better results) (Martin 
and Schulman, 2002; Saint- Jean et al., 2007; Eckersley, 
2010). 

Basically, the fingerprint is the identification of a set 
of browser features such as user agent, content-types of 
the HTTP Accept header, screen resolution, timezone, 
brower plugins, plugins versions and MIME types, sys- 
tems fonts and some information provided by some tests 
for cookies (Eckersley, 2010). If this information is dis- 
tintive enough, it allows the identification of a user. 

By means of JavaScript we can obtain different infor- 
mation of the Web page when it is executed in user's 
machine such as Web page information, cookies and 
location bar. This allows that different attacks such as 
cookie stealing, location hijacking, history sniffing and 
behaviour tracking (Jang et al., 2010) can be carried 
out. The user could be fingerprinted even by her typ- 



ing (Chairunnanda et al., 201 1). 

Furthermore, some components such as Flash Ob- 
jects also handle cookies (known as Flash cookies or 
local shared objects) (Krishnamurthy and Wills, 2009) 
that can help to track users and obtain information from 
the user such as computer's configuration or informa- 
tion to provide to the Web site. In BrowserSPY (Mi- 
crosoft Corporation, 201 1) you can check whether your 
Flash is enabled to store cookies. 

As for Web applications that do not use PII and that 
are commonly accessed we can point out Web search 
engines. They can obtain, from the request information 
contained in the previous layers, information such as IP 
and HTTP headers. Web search engines can also carry 
out inference and linkage on query terms, redirects in 
the results provided and Web timing attacks (cache tim- 
ing attacks) to distinguish among users (Jackson et al., 
2006; Saint-Jean et al., 2007). In fact, for some activ- 
ities such as behavioral targeting, the information pro- 
vided by search queries is several times better than in- 
formation provided by the pages that user clicked (Yan 
et al., 2009). 

This information combined with the time of day (as 
well as on-line information) let the Web search engines 
obtain valuable information about the user (user's work, 
interest, future plans, etc) and her activities at a specific 
time (Saint- Jean et al., 2007). 

In (Gemal, 2011) you can find a Web site that shows 
what information can be retrieved from your browser 
based both on the Web objects mentioned in this layer 
as well as in the previous layer. 

3. Solutions and tools for private navigation 

In this section we mention the different solutions that 
have been proposed in order to cope with the privacy 
problems stated for each layer in the previous section. 

Once the solutions have been introduced in Sec- 
tions 3.1, 3.2 and 3.3 we present in Section 3.4 the dif- 
ferent tools that are freely available and that implement 
these solutions. It is important to highlight that in order 
to offer a comprehensive solution to privacy on the Web 
we should combine the use of the solutions presented in 
each level. 

3.1. Privacy solutions for TCP/IP layer 
The solutions that offer privacy at TCP/IP layer are usu- 
ally known as systems or solutions for anonymous com- 
munications. The aim of these solutions is to offer pro- 
tection against traffic analysis since this can be used ei- 
ther to obtain information on identification or for profil- 
ing or for information extraction. 
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An ideal system for anonymous communications 
should be prevent the following types of attacks 
(Berthold et al., 2000; Back et al., 2001; Raymond, 
2001): message coding, timing, message volume, flood- 
ing, intersection, collusion and tagging. 

The most simple solution proposed for this purpose is 
to use encryption by means of SSL/TLS, Virtual Private 
Networks (VPNs) or tcpcrypt (Mazieres et al., 2011). 
However, neither of these solutions prevent that par- 
ties that are exchanging information can be identified. 
Even though the communication is ciphered, the con- 
tent being accessed could be determined from the size 
data exchanged, the time and frecuency of the com- 
munication or statistics of information exchanged (traf- 
fic signatures) (Hintz, 2002; Sun et al., 2002; Bissias 
et al., 2005; Liberatore and Levine, 2006; Danezis and 
Clayton, 2007; Herrmann et al., 2009). Encryption do 
not protect either of privacy compromises that can be 
performed in the Web sites user accesses (Linn, 2005; 
Danezis and Diaz, 2008). 

The level of protection can be increased with the use 
of a Web proxy, which is a (trusted or semi-trusted) en- 
tity that receives user's Web requests and made them on 
behalf of the user. Thus, the Web proxy hides the IP 
information of the user that is originating the request. 
However, the trace of all the traffic that is originated in 
and have as destination the proxy might reveal user's 
identity even SSL/TLS is used (Gabber et al., 1999; 
Danezis and Diaz, 2008; Li et al., 2011). Furthermore, 
the Web proxy knows all the information and can trace 
user's activity (Margasihski and Szczypiorski, 2005). A 
proxy cannot either prevent that the user's Internet Ser- 
vice Provider (ISP) monitors her activities if a SSL/TLS 
connection is not used in the connection with the Web 
proxy. On the other hand, proxy main advantage is that 
it is a low lacenty system (Edman and Yener, 2009). 

In this layer, the best level of protection can be 
achieved by means of solutions that are based on the 
use of chains of specials proxies that send and receive 
information in an encrypted way and that do not know 
the Web server where the information is requested. In 
general, the only information that this kind of interme- 
diary proxies (hereinafter we will name them as anony- 
mous routers independently if the follow the concept 
of Chaum's Mix or onion or garlic routing) knows is 
its precedessor and succesor in the chain. With these 
chains, user's ISP can only see that you are connected 
to an intermediary proxy and the Web sites only see 
that they receive request from these anonymous routers. 
These solutions also offer protection against traffic anal- 
ysis. We can distinguish different kind of solutions 
that follow this approach and that can be classified in 



four main groups (Ren and Wu, 2010): Mixnet-based 
schemes, DC-net systems, network routing-based tech- 
niques and peer-to-peer networks. 

Although there are an important number of proposals 
in each group, see (Danezis et al., 2009; Ren and Wu, 
2010) for more proposed techniques, in the following 
subsections, only the description of the techniques that 
are implemented in the tools commented below is pro- 
vided. 

Our goal is to analyse only those solutions that can be 
used in a practical way for end users (without any spe- 
cial technical knowledge) as a solution for privacy prob- 
lem in the Web environment. As we will see, the pro- 
posals that have a development freely available for Web 
users is quite reduced. Namely, the techniques that we 
describe are: Tor (Dingledine et al., 2004), JAP/JonDo 
(Web Mixes) (Berthold et al., 2001) and I2P (zzz and 
Schimmer, 2009). It is important to point out that these 
solutions need be combined with solutions of other lev- 
els since they only anonymize TCP/IP level. 

Otherwise, the user could be identified by means of 
some of the techniques that we have outlined in the pre- 
vious section and that will be explained in more detail 
in the HTTP or/and application layers. 

Other approach could be not to provide anonymity 
in the transport layer and implement it in the applica- 
tion layers. However, as mentioned by Berthold et al. 
(2000), this approach is less suitable and the privacy 
with solutions at that level could be hardly obtained. 
Therefore, ideally, any privacy solution should be based 
on the provision of privacy at transport level. This also 
has additional advantages (Berthold et al., 2000): the 
imposibility of distinguish between the use of different 
kind of services and the freedom, for the different par- 
ties, to decide whether they want to reveal their identity 
although they use a privacy solution at transport level. 

Next we present a description of the different solu- 
tions that help in providing privacy at the TCP/IP layer. 

3.1.1. Tor 

Tor (Dingledine et al., 2004) is an improvement of the 
onion routing proposal (Goldschlag et al., 1996; Reed 
et al., 1998; Syverson et al., 2001). In fact, it was pre- 
sented as the second generation of onion routing. 

Tor is a distributed overlay network for providing 
anonymous communications. Tor is based on the es- 
tablisment of a virtual circuit using an incremental or 
telescoping path-building unlike onion routing where 
a onion structure is used. Furthermore, Tor provides 
perfect forward secrecy, congestion control, directory 
servers and location-hidden services. 
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The main elements of this proposal are: onion prox- 
ies, onion routers and directories servers. These ele- 
ments are described next. 

An onion proxy is executed in the local machine of 
each user. This proxy is responsible for building cir- 
cuits across the network using the information provided 
by directory servers. The building of the circuit is per- 
formed hop to hop negotiating a symmetric key with 
each onion routing that will be part of the circuit. This 
proxy also handles the requests of the user's applica- 
tions and sends them through the circuits established. 
As interface for applications SOCKS is used and for 
the maintaining of privacy features they propose the fil- 
tering with an application-level proxy such Privoxy or 
Polipo. The information is sent in structures of fixed 
size (512 bytes) named cells. Each cell is ciphered with 
each one of the keys negotiated with the onion routers 
in the building path. For the recipient the traffic seems 
to be originated from the exit onion router. The traffic 
between exit and destination is not ciphered. 

An onion router is a node in the overlay network in 
charge of relaying information from/across other onion 
routers and proxies. Onion routers are connected one 
another and with onion proxies by means of a TLS con- 
nection. 

Finally, directory servers maintain the list of onion 
routers available, the status of network topology and the 
keys and exit policies of each onion router. 

Tor is a low-latency system (Edman and Yener, 2009) 
that guarantees perfect forward secrecy and sender 
anonymity. Moreover, recipient anonimity is guaran- 
teed when location-hidden services are established. 

Currently, Tor is the most used anonymity system (Li 
et al., 2011). Tor is mainly used for HTTP, BitTorrent 
and SSL (Mccoy et al., 2008; Chaabane et al., 2010). 
As for the most Web categories visited are search en- 
gines, pornography and computers and Internet (Chaa- 
bane et al., 2010). An study on the latency of this system 
can be found in (Wendolsky et al., 2007; Fabian et al., 
2010). 

Furthemore, Tor has been defined as the anonymity 
layer in Privacy and Identity Management for Europe 
(PRIME) project (Ardagna et al., 2010), which is an 
European project with the aim of providing a Privacy- 
enhancing Identity Management environment which 
covers both technical and non-technical (legal, social 
and economic) issues. Namely, its aim is to offer real 
communication solutions for users in information soci- 
ety while interact in a safe way and retaining the control 
of their privacy. 

More details and analysis of Tor can be found in 
a wide number of references in the literature since 



this protocol has been deeply analysed (Murdoch and 
Danezis, 2005; Abou-Tair et al., 2009; Danezis et al., 
2009; Behl and Lilien, 2009; Edman and Yener, 2009; 
Chaabane et al., 2010; Fabian et al., 2010; Ren and Wu, 
2010; Mulazzani et al., 2010; Hopper et al., 2010). 

Even it is the largest deployed anonymity network 
(Edman and Yener, 2009), several attacks have been 
found, some of these are due to the fact that Tor is not 
designed to provide security against even passive ob- 
servers of a circuit (Danezis et al., 2009) and it does not 
offer protection at the boundaries of the network (Ser- 
jantov and Sewell, 2003; Murdoch and Zielihski, 2007). 

Murdoch and Danezis (Murdoch and Danezis, 2005) 
have shown as a malicious Tor node can determine the 
nodes of a Tor circuit (timing-based attack). Hopper et 
al (Hopper et al., 2007, 2010) have found out two at- 
tacks. The first attacks allows, by means of a pair of 
colluding Web sites to determine (with high confidence) 
whether two connections that make use of the same Tor 
exit node are using the same virtual circuit. The sec- 
ond allows a corrupt Web site to obtain several bits of 
information of each access the user makes. A more de- 
tailed description of other attacks can be found in (Hop- 
per et al., 2007; Snader and Borisov, 2008; Edman and 
Yener, 2009; Danezis et al., 2009; Hopper et al., 2010). 

3.1.2. Web MIXes/AN.ON project 
Web MIXes (Berthold et al., 2001) is a system de- 
signed to provide anonymous communications for both 
asynchronous and synchronous traffic. This system, 
which was developed in the AN. ON project (Berthold 
et al., 2000; Golembiewski et al., 2003; AN.ON Project, 
201 1), is based on the modification on Chaum Mix con- 
cept (Chaum, 1981). 

This solution is built on four components that are 
used to build an anonymous tunnel (Berthold et al., 
2001; Golembiewski et al., 2003): Java Anon Proxy 
(JAP), MIXes, cache-proxy and Info-service. 

JAP is a program installed on user's computer and is 
used to send anonymous traffic through the MIXes, the 
MIXes are a set of servers that follow the idea of MIX 
server proposed by Chaum, the information on them is 
obtained through the info-service, and finally, cache- 
proxy sends and receives the traffic from the (Web) 
servers. Next, we point out the main features of each 
of these components. 

JAP is a proxy that applications in user's computer 
use to send anonymous traffic. The traffic is sent to the 
MIXes periodically in slices of a fixed size by using an 
adaptive chop-and-slice algorithm. If traffic is not gen- 
erated by applications, then, dummy messages are sent. 
It is important to point out that JAP does not also prevent 
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from leakage of PII in this layer but also performs the 
filtering of elements of upper layers that can comprise 
user's privacy such as cookies, JavaScript, etc. Theses 
issues will be described in more detail below. 

MIXes are based on the idea of Chaum mix cascade 
(change of cryptographic coding, re-order and mix mes- 
sages received and send them in a batch), each message 
goes through all the cascade of mixes in the same or- 
der and they also generate dummy traffic when they do 
not have "real" traffic to send. The traffic in a MIX is 
received from the JAP and the exit point of a MIX is a 
cache-proxy. 

Cache-proxy is a reverse proxy from (Web) servers 
that receives requests from the MIX. It also generates 
dummy traffic when there are no requests. Furthermore, 
we can point out that this proxy returns all the Web page 
requested with the objects that are embedded in it. 

Info-service is in charge of management tasks in the 
system. Namely, it provides information on the MIXes: 
addresses, public keys, availability, the traffic situation 
and the level of anonymity (number of active users in 
the system) (Pfitzmann and Hansen, 2010). 

This solution also defines a ticket-based authentica- 
tion system that prevents flooding attacks. Currently, 
this solution is also known simply as JAP or JonDo. 
This latter name is used for the comercial version pro- 
vided by JonDonym anonymous proxy servers (AN. ON 
Project, 2011). 

More details and analysis of Web MIXes can be 
found in (Danezis et al., 2009; Edman and Yener, 2009; 
Ren and Wu, 2010; Westermann et al., 2010; Wester- 
mann and Kesdogan, 201 1). 

Although this solution in its design proposes the 
sending of dummy traffic, in the implementation is not 
used due to the load that would suppose for the network 
(Edman and Yener, 2009). This fact limitates the level 
of protection offered by the solution. The messages in 
this solution could also be tagged in order to recognize 
them when they are decrypted (Danezis et al., 2009). 

In (Westermann et al., 2010) we can find out two 
main flaws related to the session key used in the mixes, 
which are not checked if they are fresh enough and 
thus a replay attack could be made, and the encryption 
scheme used, which can cause the de-anonimization of 
the users. Other attacks that are based on replay, which 
can disclose some of the visited Webs by the user can 
be found in (Westermann and Kesdogan, 201 1). 

3.1.3. I2P 

I2P (zzz and Schimmer, 2009), which is an evolution 
of Invisible Internet Project, is defined for providing se- 



cure and anonymous communications both the sender 
and the receiver. 

I2P is based on garlic routing instead of onion rout- 
ing. Thus, not only the communication between routers 
is ciphered but also end-to-end communications, allow- 
ing at the same time sending multiple messages in the 
same layer of protection. 

According to I2P terminology we can distinguish 
three main elements: tunnels, routers and network 
database (Kubieziel, 2007; zzz and Schimmer, 2009). 

Tunnels are established in order to send information 
anonymously. In I2P there are different tunnels for in- 
coming and outcoming traffic: inbound and outbound 
tunnels. In order to establish a communication between 
two peers, the creator of the tunnel sends the informa- 
tion by using her outbound tunnel, when the traffic ar- 
rives at its last router in the tunnel (named as outbound 
endpoint), this endpoint sends the information to the in- 
bound tunnel of the receiver. The first element in this 
tunnel is named as inbound gateway as is responsible 
for relay the traffic to the destination. The tunnels are 
built up from peers that are chosen randomly after being 
classified in tiers. The classification is based on capac- 
ity, latency and whether the peers are overloaded. 

Routers are the elements participating in the network 
to relay traffic from senders to the destination. It is im- 
portant to point out that the destination (named Eepsites 
for Web pages) in this solution is always anonymous. 

The network database (netDb) contains the informa- 
tion that allows the location of elements available in the 
network. Namely, this network database manages net- 
work metadata that allows peers to know information 
to send traffic to a router (routerlnfo) as well as how to 
locate a particular destination (leaseSets). 

More details and analysis on I2P can be found 
in (Abou-Tair et al., 2009; zzz and Schimmer, 2009; 
I2P, 2011; Herrmann and Grothoff, 2011; Zantout and 
Haraty, 2011). Although this system offers protection 
against a number of attacks such as timing attacks, in- 
tersection attacks, taggin attacks, sybil attacks, etc, it 
presents some possible vulnerabilities as for partition- 
ing attacks and intersection attacks (Zantout and Haraty, 
2011), which could reveal sender and receiver identi- 
ties or allow the trace of the message. Herrmann and 
Grothoff (201 1) shows and attack based on taking over 
the fast tier in order to identify the peer hosting an Eep- 
site. 

3.2. Privacy solutions for HTTP layer 

In the HTTP level, there are two main elements to take 
into account in order to protect user's privacy: HTTP 
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headers and cookies. The solutions considered to over- 
come these problems are: the filtering of headers that 
can reveal (or induct) some PII, and the filtering, block- 
ing or limitation on the use of cookies. 

For the filtering of HTTP headers, there are two ap- 
proaches. On the one hand, the installation of Web 
browser components/plug-ins or local proxies in user's 
computer. On the other hand, the use of anonymous 
Web proxies or anonymizers that perform this task. The 
functions of the elements of each approach are com- 
mented below. 

As for cookies, there are several options to prevent 
they can be used to track user's activity. First, dis- 
abling them in the Web browser. However, this op- 
tion is not suitable because can cause usability problems 
since many Web sites, for some transactions (shopping 
carts, payment transactions, etc), that use them. Second, 
deleting manually cookies at the end of each browser 
session (Harding et al., 2007). Third, the use of tools 
or plug-ins for the management of cookies (Shankar 
and Karlof, 2006; Yue et al., 2010). Four, the use of 
anonymous Web proxies (on the user's computer or in 
a server). Finally, private browsing mode implemented 
by Web browsers. The different elements used in these 
options are commented below. 

Next, we provide a description of the different solu- 
tions that help in providing privacy at HTTP layer. 

3.2.1. Cookie manager 

A cookie manager is a tool that allows the management 
of cookies: view, edit, establish, filtering options, delete 
them, etc. Generally, many of these functions are in- 
cluded as part of the functionality of the Web browsers. 

In (Cookies.org, 2011) you can find information on 
how to manage them in the different browsers. How- 
ever, in many cases, the functionality offered by Web 
browsers is quite limited and the user can improve this 
functionality by installing add-ons or extensions for the 
Web browser that complements its functionality. 

With this kind of tool the user could limit the number 
of cookies accepted and remove or filter those that could 
be used to track the user. 

3.2.2. HTTP filter 

An HTTP filter is in charge of modifying the HTTP re- 
quest the Web brower sends to the Web server and erases 
or modifies those headers that can reveal PII (user's 
agent, referrer, etc). 

For those cases that headers cannot be removed, 
the use of generic values that cannot fingerprint the 
user (Eckersley, 2010) is proposed, e.g., the Accept- 
Language header is used to indicate the language the 



user's accepts, if the language is from a very particu- 
lar region, the user could be identified. Thus, for this 
header the proposal is to indicate English as language. 
With this configuration is more difficult to induct infor- 
mation from the user who is making the request since 
there are many users who work with that language in 
her browser. 

The same situation could happen with other head- 
ers such as the user's Web browser and its version 
(User_agent header), if the version is very specific, then 
the use of a common version is recommended to be re- 
placed. Therefore, as mentioned in (Saint-Jean et al., 
2007), its aim is to normalize the HTTP request. Most 
of the times, this functionality is included as a part of an 
anonymous Web proxy. 

An analysis on how specific (unique) and trackable 
is your browser and the bits of information can be ob- 
tained is shown in (Eckersley, 2010; Electronic Frontier 
Foundation, 201 1). This information is based on the fol- 
lowing values: user agent and HTTP .ACCEPT head- 
ers, browser plugin details, time zone, screen size and 
color depth, systems fonts, if the cookies are enabled or 
not, and a test to determine if supercookie is limited. A 
cookie is named as supercookie when the domain is a 
public suffix domain (e.g., .org, .com, .co.uk, etc). 

3.2.3. Simple anonymous Web proxy 
An anonymous Web proxy (also known as an 
anonymizer) acts as a TCP proxy and removes headers 
with user's information (or fake them), conceals user's 
IP address (Shubina and Smith, 2003) and rewrites 
HTML pages so that when the user clicks on a link on 
that page, the request is made through the proxy. In 
general, it also manages cookies on behalf the user. Ad- 
ditionally, some of them also remove active contents 
(Javascripts, banners, advertisements, etc) and other 
embedded objects from the HTML. However, this issue 
will be covered later in the next layer. 

In this level we will suppose that the filtering of active 
content is not performed or the proxy does not support 
this feature. 

In order to distinguish the features offered by an 
anonymous Web proxy in this level and with another 
with more advanced features for the following level, we 
will name them as simple anonymous Web proxy and 
(Advanced) anonymous Web proxy. In this section, we 
analyse the former. The latter is analyses subsequently 
in Section 3.3.2. 

A simple anonymous Web proxy in user's local com- 
puter can remove some HTTP headers (as an HTTP fil- 
ter) and can manage cookies on behalf the user but, at 
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the end, the request comes from the same IP address and 
therefore, the IP address of the user can be identified. 

If the proxy is in a third party, the IP address of the 
user cannot be identified. Even though, if no additional 
protection measures are taken, the user can be traced 
whether the user's traffic is traced (even it is protected 
with SSL/TLS) (Gabber et al., 1999; Danezis and Diaz, 
2008; Edman and Yener, 2009; Li et al., 201 1). But even 
though, the user's identity may be revealed if all com- 
munications to and from the proxy are traced. Further- 
more, this solution does not prevent that both the Web 
proxy and the user's Internet Service Provider (ISP) 
trace all her Web activities (Margasihski and Szczypi- 
orski, 2003, 2005). Neither the ISP nor an eveasdropper 
could obtain information on the connection if user uses 
SSL/TLS to connect to the Web of the anonymous Web 
proxy. 

Its advantages are the high efficiency they can of- 
fer, easy to access and to use, simplicity and do not 
require additional elements (Margasihski and Szczyp- 
iorski, 2005; Edman and Yener, 2009). 

The main disadvantage is that a simple anonymizer 
does not protect against traffic analysis even though a 
SSL/TLS connection is being used (Hintz, 2002; Sun 
et al., 2002; Margasihski and Szczypiorski, 2003; Bis- 
sias et al., 2005; Margasihski and Szczypiorski, 2005; 
Liberatore and Levine, 2006; Danezis and Clayton, 
2007). It does not batch and reorder messages either 
(Edman and Yener, 2009). If the proxy only covers 
headers and the additional objects that are embedded in 
the HTML are not processed, then the user's privacy can 
be compromised (Margasihski and Szczypiorski, 2003) 
by means of the information provided in the application 
level. 

3.2.4. Private browsing mode 

The private browsing mode is a feature that have been 
included recently in Web browsers. In Mozilla Firefox 
and Safari is named Private Browsing, in Microsoft In- 
ternet Explorer InPrivate and in Google Chrome Incog- 
nito. This mode of navigation aims not to leave trace 
on the user's computers on the Web sites she has visited 
and hides the identity of user from the Web sites she 
visits (Aggarwal et al., 2010). 

Basically, private browsing mode is based on not to 
store some information after the private navigation ses- 
sion has finished and not make it available in the public 
mode of navegation as well as it is responsible for dis- 
abling toolbars and extensions since they can compro- 
mise user's privacy. 

Mainly, the information considered is the browser 
navegation history, the cookies of the session, password 



database, cache of the Web browser, client's certificates. 
However, how this mode is implemented depends on the 
browser (Aggarwal et al., 2010). Thus, this solution can 
be basically used to limit the effect on the use of cook- 
ies and the information that can be obtained with active 
components, e.g., it can prevent the access to history by 
means of Javascript (more details are provided in the 
next layer). 

3.2.5. Do Not Track 

Do Not Track (DNT) (Mayer et al., 2011) is a recent 
technology that aims to improve user's control on the 
PII is released to third party entities when user accesses 
to a Web site. Namely, with this proposal the user when 
accesses to a Web site she indicates that she does not 
want to be tracked by third parties (including behavioral 
advertising). This is indication is made by means a new 
HTTP header (DNT) that the user's Web browser sends 
to the Web site. 

The support of this technology is not mandatory by 
Web sites and it needs to be accompanied with some 
legislation that requires (enforces) its compliance. 

Currently, DNT has been submitted as an Internet- 
Draft to the IETF (Mayer et al., 2011) in order to be- 
come an standard. As it is a recent technology almost is 
not supported by most Web sites. The DoNotTrack.Us 
Web site (Mayer and Narayanan, 2011) allows us to 
check whether our browser supports this extension and 
whether it is enabled. 

3.3. Privacy solutions for application layer 
In this level the elements that can compromise user's 
privacy are the elements that can be embedded in a 
Web page through HTML tags or as objects such as 
Web bugs, banners, advertisements, JavaScript, Ac- 
tiveX, Java and other posible plugins (Silverligth, etc) 
since they can be used to send PII to the Web server 
or to fingerprint user's machine and, therefore, identify 
user (Saint- Jean et al., 2007). 

The use of Web search engines can also compromise 
user's privacy since Web search engines can profile user 
in function of the queries the user makes (Saint-Jean 
et al., 2007). 

In general, the solution to these problems introduced 
by Web objects is to disable or block them at Web 
browser (Eckersley, 2010). Thus, these elements will be 
not loaded, executed and displayed when the user loads 
a Web page and how they will not be executed they will 
not cause any PII leakage. However, this is not suitable 
since it causes usability problems. For these elements 
different solutions have been proposed and we mention 
them next. 
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In order to avoid privacy risks produced by Web bugs 
the solution is to analyse the content of the HTML page 
received in an HTTP request with the aim of filtering 
the request of very slow size images (7 pixels or less) 
different from the Web server where the user made the 
request. This task can be performed by a HTML filter 
or an advanced anonymous Web proxy. 

There are several proposals in order to detect a Web 
bug (Alsaid and Martin, 2003; Martin et al., 2003; Fon- 
seca et al., 2005; Ragkhitwetsagul, 2007; Yamada et al., 
2010, 2011; Baviskar and Thilagam, 2011). These pro- 
posals take into account the image domain, the size of 
the image, if the image has a third-party cookie, if the 
URL of the image contains more than a protocol, the 
length of the image URL and link analysis. Even the 
use of blacklists has been proposed. However, this later 
mechanism is not suitable since they are generated by 
Web crawlers or by volunteers (Yamada et al., 2010, 
2011). A complementary solution of backlists based 
on temporal link analysis is proposed in (Yamada et al., 
201 1). This task can be performed by a HTML filter or 
an advanced anonymous Web proxy. 

As for JavaScript several techniques have been pro- 
posed (Nentwich et al., 2007; Yu et al., 2007; Jim 
et al., 2007; Dhawan and Ganapathy, 2009; Chudnov 
and Naumann, 2010; Jang et al., 2010) such as solu- 
tions based on client-side or server-side to prevent his- 
tory sniffing, disable unknown scripts, signed scripts, 
program instrumentation and dynamic taint propagation 
and checking. Some of these solutions can be imple- 
mented in proxies and other requires the modification 
of Web browser source code. 

In order to prevent Web search engines can profile 
user, she can use private Web search tools. 

Next, we provide a description of the different solu- 
tions that help in providing privacy at application layer. 

3.3.1. HTML filter 

An HTML filter is in charge of removing any Web ob- 
ject (JavaScripts, Flash, Java applets, ActiveXs, pop- 
ups, etc) that can provide user's PII at the same time 
that it carries out only one HTTP GET request per Web 
access (Aggarwal et al., 2010). 

Depending on the filter, different options could be of- 
fered: remove all Web objects of a particular kind, only 
for specific Webs, etc. This functionality is also incor- 
porated by some anonymous Web proxies. 

In general, the blocking of all Web objects can also be 
configured by means of the configuration options of the 
Web browser. However, it can cause usability problems 
if user wants different kind of accesses. 



3.3.2. Advanced anonymous Web proxy 

In this section we include the simple anonymous Web 
proxies that satisfy the features mentioned in Sec- 
tion 3.2.3 (that is, filtering HTTP headers and cookies) 
as well as those that incorporate the HTML filter fea- 
ture, we have just mentioned in the previous section. 
Thus, when the advanced anonymous Web proxy re- 
ceives the Web page requested by the user from the Web 
server, it parses it and removes any Web object that can 
compromise user's privacy (Margasihski and Szczypi- 
orski, 2005; Saint-Jean et al., 2007). 

As for advantages and disadvantages of these sys- 
tems, we can mention that they share the same features 
as simple anonymous Web proxy (Section 3.2.3) and 
improve their features avoiding privacy compromise by 
Web objects. Even though, as already explained, the 
user could be identified by means of traffic analysis. 

3.3.3. Private Web search tools 

A private Web search tool aims to prevent that a Web 
search engine such as Google, Bing, etc can build a pro- 
file of the user from the queries she makes. 

There are two kind of private Web search tools: Pri- 
vate Web search engines and Private Web search plug- 
ins. The former are Web search engines that act as a 
proxy between the user and a well-known search en- 
gine. These private Web search engines delete the cook- 
ies that Web search engines uses to track the user as 
well as the identifier assigned to each user. The latter 
are tools that implement some tool to prevent the query 
the user makes to the Web search engine cannot be pro- 
filed. In general, this kind of solutions are based on the 
obfuscation of the real query between other queries that 
are randomly genarated. 

3.4. Tools 

In this section we present the main tools that are freely 
available to cope with privacy issues and that develop 
some of the solutions mentioned in the previous sections 
(Sections 3.1 to 3.3). 

For each tool analysed we provide a brief description 
with its features, the different solutions that implements 
and whether it should be complemented or not with the 
use of other tools that cover privacy in the different lev- 
els already presented. 

3.4.1. Multiproxy 

Multiproxy (Multiproxy, 2001) is a tool that is installed 
in user's computer acting as a TCP proxy. Each time 
Multiproxy receives a request, it redirects it to a differ- 
ent proxy server from a list of proxy servers. 
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This solution conceals user's IP address using differ- 
ent proxy servers (the choice of the server is in function 
of its speed). Thus, the access is more reliable (your 
Web request does not depend on a single server that 
could fail). At the same time, it is more difficult for 
a Web site to determine the IP address. Furthermore, in 
order to track the user, an attacker has to eavesdrop to 
more proxies. However, this solution has the problems 
already introduced in Section 3.1. Thus, the user could 
be identified by using information at HTTP and appli- 
cation layers. Moreover, the ISP could analyse user's 
requests and behaviour. 

The proxy servers to be used with this tool can be 
obtained from one of the numerous public list avail- 
able on the Web. Some list can be found in (Rosinstru- 
ment.com, 2011; PublicProxyServers.com, 2011; My- 
Proxy, 2011). This proxy servers can be also used to 
configure our Web browser with a proxy. 

3.4.2. CGIproxy 

CGIproxy (Marshall, 2008) is a CGI proxy written in 
Perl. Therefore, it could be executed in different plat- 
forms. 

This proxy supports the filtering of HTTP headers, 
management of cookies and the removing of Web ob- 
jects. It allows the Web administrator to configure an 
important number of options related to these issues. 
Thus, we could configure an advanced Web anonymous 
proxy (see Section 3.3.2). Although this solution cov- 
ers several levels, user privacy can be compromised by 
means of traffic analysis. 

3.4.3. Privoxy 

Privoxy (Privoxy, 2010) is a non-caching filtering proxy 
that supports both IPv4 and IPv6 and incorporates filter- 
ing capabilities. Furthermore, Privoxy supports SOCKS 
protocol, the filtering of HTTP headers, the manage- 
ment of cookies and it removes Web objects (Web bugs, 
banners, advertisments, Javascript, etc) that can com- 
promise user's privacy. Therefore, it can behave as an 
advanced anonymous Web proxy, which does not pre- 
vent traffic analysis attacks. 

3.4.4. Polipo 

Polipo is a caching Web proxy (Chroboczek, 2010) that 
supports HTTP/1 . 1 both for IPv4 and IPv6. It stands out 
because of its support of HTTP/1 . 1 pipelining as well 
as Poor Man's Multiplexing to reduce communication 
latency. 

Due to the fact that it supports the SOCKS protocol 
is being used with the Tor anonymizing network. In 



fact, its use is recommended with the Tor browser bun- 
dle (which will be explained below) in order to improve 
Tor's communication latency. Furthermore, it supports 
the filtering of HTTP headers and cookies as well as 
blocking of Web bugs or advertisments by blocking or 
redirecting URLs (content filtering). 

Both Privoxy and Polipo can be used together with 
Tor bundle, although it seems that Polipo is better for 
this use due to its support of pipelining (TOR FAQ, 
2011). Furthermore, there are some Graphical User In- 
terfaces (GUI) for this tool: Solipo (Solipo, 2010), for 
Windows and Dolipo (Dolipo, 2008), for MAC OS X. 

3.4.5. Tor 

Tor (The Tor project, Inc, 201 la) is the implementation 
of the solution presented in Section 3.1.1. This tool, as 
is, is only to be used by expert users. To end users it 
is recommended to use, at least, Vidalia or Tor browser 
bundles. 

Vidalia is a GUI to control Tor, that is, it allows users 
to decide when they want to be connected/disconnected 
to the Tor network, see the bandwidth used, the active 
circuits, Tor's current state and configure a Tor client, 
bridge or relay. The Tor browser bundle is commented 
below. 

With Tor, even with the use of Vidalia (The Tor 
project, Inc, 201 Id), we can only achieve privacy at 
TCP/IP layer. However, privacy can be compromised 
using elements of HTTP and application layers since if 
we have only installed Tor, the Web browser connects 
directly, by means of SOCKS to the Tor network. This 
is the reason why Tor recommends the use of a proxy 
such as Polipo or Privoxy. In fact, as we will see below, 
the Tor browser bundle incorporates Polipo. This Web 
proxy behaves as an advanced anonymous Web proxy, 
which also handles elements of the other levels. 

3.4.6. Torbutton 

Torbutton (The Tor project, Inc, 201 lc) is an add-on for 
Mozilla Firefox to work together Tor (it has to be previ- 
ously installed). This tool allows enabling and disabling 
Tor with only one click in Firefox and it disables Web 
objects and active content (such as Javascript, Flash ob- 
jects, etc) that can be incorporated in Web pages. Fur- 
thermore, it supports the configuration of other features 
that can compromise user's privacy such as disabling 
search suggestions from Google, blocking the indica- 
tion whether some links have been visited, prevention 
of storing history of visited URLs and password forms, 
blocking disk and memory cache, management of cook- 
ies, management of headers related to the language so 
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that it appears as an English browser and prevention of 
sending the Referer header. 

Hence, this tool (with Tor) could provide anonymous 
Web browsing considering all the privacy concerns pre- 
sented in the different levels. However, this combination 
has a flaw: the DNS requests that the browser performs 
are not made through the Tor network, they are made 
via the user's computer. Thus, an attacker by means of 
DNS traffic analysis can know the names (and its do- 
main) the user is visiting throught Tor network. For this 
reason, the use of Polipo or Privoxy is recommended. 
Indeed, Polipo is included in the Tor browser bundle as 
we explain in next section. 

The usability of this tool has been studied in (Clark 
et al., 2007), where it is concluded that this tool is easy 
to configure, install and use as long as Privoxy/Polipo 
is used. They also mention that with this tool, to enable 
and disable Tor is more intuitive. In the event Privoxy 
is not used, it requires some improvements as for the 
configuration steps. In this study they also mention that 
it provides a better interface than FoxyProxy, which is 
commented next. 

3.4.7. FoxyProxy 

FoxyProxy (Jung, 2011) is an add-on for Mozilla Fire- 
fox (it will be soon for Google Chrome and Microsoft 
Internet Explorer), which allows the definition of the 
proxy to use in function of the URL patterns chosen by 
the user. 

Clark et al. (2007) mention that to enable and dis- 
able Tor is more intuitive with this tool than with Tor- 
button. Furthermore, we can indicate easily that all the 
traffic goes through Tor, which solves the DNS problem 
mentioned with Torbutton. However, FoxyProxy does 
not provide any functionality related to the solutions 
mentioned for HTTP and applications layers. Thus, if 
FoxyProxy is combined with Tor we obtain privacy at 
TCP/IP level but not for the other levels. In order to ob- 
tain more privacy we should combine it with Polipo or 
Privoxy. 

3.4.8. UnPlug 

UnPlug (Dbatley, 2011) is an extension to download 
Flash videos. The main feature of this tool is that the 
video is downloaded in user's computer before playing 
it. Thus, it avoids the activation of Flash in the Web 
browser and, at the same time, it improves performance 
since additional reproductions do not require a connec- 
tion to the Web server. Hence, this solution helps pre- 
venting some problem at the application layer, particu- 
larly, as for active content in Flash. 



3.4.9. Plugin customs 

Plugin customs (Startingpage, 2011) is an extension for 
Safari that allows the blocking of different plug-ins such 
as Flash, Silverlight, Java, etc. It is important to point 
out that it supports the customization on the Web sites 
of the plug-in can be used to show specific resources. 
Thus, this application works at application level with 
active objects. 

3.4.10. Tor browser bundle/Vidalia bundle 

The Tor browser bundle (The Tor project, Inc, 2011b) 
contains Tor, Vidalia, Polipo and Mozilla Firefox 
Portable (a modified version of Mozilla Firefox to make 
it portable and that does not leave personal information 
in your computer) with Torbutton installed (see Sec- 
tion 3.4.6). 

The Vidalia bundle is practically the same as Tor 
browser bundle except Mozilla Firefox is not contained 
in the bundle and the user needs to have installed it pre- 
viously. 

Tor browser bundle is the recommended option for 
end users since it installs a set of components that are 
needed for protecting privacy of Web communications. 
This bundle provides protection against almost all the 
privacy concerns presented in the three layers. Thus, 
the user has a comprehensive solution for her private 
navigation. 

The privacy risks associated to this solution are 
mainly those described when we introduced Tor net- 
work (see Section 3.1.1) and those derived of using a 
Web search engine without a private Web search tool. 

The usability of this tool has been analysed in (Clark 
et al., 2007; Abou-Tair et al., 2009; Schomburg, 2009) 
and the authors of these works conclude that the tools 
provided with the bundle are easy to use, although some 
issues in the installation and configuration should be im- 
proved (mainly for facilitating its use for novice users). 
As mentioned by Edman and Yener (2009), this bundle 
might have contributed to popularity of Tor. 

Currently, Tor network is the largest anonymity net- 
work (with 10387 servers) and the most used (Li et al., 
2011). 

Furthermore, the performance of this network has 
been studied in (Wendolsky et al., 2007; Panchenko 
et al., 2008; Abou-Tair et al., 2009; Loesing et al., 2008; 
Lenhard et al., 2009; Fabian et al., 2010). 

Fabian et al. (2010) and Panchenko et al. (2008) men- 
tion that the latency should be reduced so that the adop- 
tion of Tor network service by new users increases. As 
mentioned in (Kpsell, 2006), performance is important 
for users who are willing to use the system. 
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Wendolsky et al. (2007) have compared Tor with JAP. 
As conclusion, they mention that performance of Tor is 
similar to JAP, but they also mention that the perfor- 
mance is unpredictable but the bandwith and user tol- 
erance for latency are better than in JAP. Furthermore, 
they conclude that this performance is good enough for 
Web surfing and downloads. 

Compared with the other solutions for the TCP/IP 
layer (including I2P), this is the network that pro- 
vide a better average bandwith (Abou-Tair et al., 2009; 
Schomburg, 2009). 

Loesing et al. (2008) and Lenhard et al. (2009) stud- 
ied the performance in hidden services. From these 
works we can point out that Lenhard et al. (2009) have 
found that the performance was worse than expected 
in low-bandwith networks (they identified mainly two 
problems: the download of relay descriptions in boot- 
strapping phase and the building or extension of virtual 
circuits when accessing to the hidden services) and they 
have proposed several solutions to improve it. 

3.4.11. JAP/JonDo 

Java Anon Proxy (JAP) - JonDo is the name of the com- 
mercial version - is an anonymous proxy that connects 
to a set of servers established as a cascade of Mixes 
(JonDonym). 

JAP is the latest release (it is the client software) of 
the solution explained in Section 3.1.2 (Web MTXes) 
and developed in the AN.ON project (AN.ON Project, 
2011) (JonDonym in the name used in the commercial 
version of the software). Although the project has the 
commercial version, we have decided to include it in 
this analysis because the software is free and some cas- 
cades can still be used freely. 

This solution offers privacy at TCP/IP layer but it 
does not consider HTTP layer or application layer. 
Therefore, we should use it in combination with other 
tools. Some of these tools have also been developed in 
the AN.ON project, such as the JonDoFox browser. 

The JonDonym's Web portal is also interesting be- 
cause it contains an anoymity test (JonDonym, 2011a) 
that can inform a user on the different risks that her Web 
browser system is exposed when you are accessing to 
the Web. Furthermore, it provides you with some ad- 
vice in order to solve your privacy flaws. 

Currently, JonDo network is the smallest anonymity 
network (with 1 1 servers) and the least used (Li et al., 
2011). In (Federrath, 2005) we can find some re- 
sults about the use of this network (mainly for access- 
ing to entertainment content such erotic, private home- 
pages, games and services such as search engines, stock 
quotes, etc), regions of use (mainly Europe and Asia) 



and misuse (from law enforcement agencies and private 
complaints). 

The usability of this tool has been analysed in (Abou- 
Tair et al., 2009) and they conclude that this tool is 
easy to use, although the distintion between JAP and 
JonDo should be clarified to avoid user's confusion. 
This tool has an interesting feature: it incorporates a vi- 
sual anonymity meter that provides the user some infor- 
mation on her level of protection (Berthold et al., 2001; 
Clark et al., 2007). As for usability criteria (Abou-Tair 
et al., 2009), this tool has obtained better results than 
Tor and I2P. 

With respect to performance, Wendolsky et al. (2007) 
mention that JAP with Jondonyms cascades is similar to 
Tor. They also conclude that the latency is less than 
in Tor and the quality of service that is perceived by 
users is more consistent than Tor. On the other hand, 
the throughout and user tolerance for latency are better 
in Tor than in JAP, but JAP is better than I2P (Abou-Tair 
et al., 2009). 

3.4.12. JonDoFox 

JonDoFox (JonDonym, 2011b) is a profile for Mozila 
Firefox that is optimized for secure anonymous surfing. 
It can be installed from the scratch (based on Mozilla 
Firefox portable) or on your own Firefox. This modi- 
fied Web browser allows users to choose the proxy to be 
used (none, JAP/JonDo, Tor or a customized proxy) as 
well as it provides protection against of PII leakage. 

JonDoFox can manage the following features related 
to the HTTP layer: referrer, user-agent, tools for cookies 
management (Cookie Monster - see Section 3.4.16). It 
also behaves as a Web browser with private browsing 
mode since it erases Web searches just after they are 
submitted, it also erases history periodically and offers 
protection against attacks to the cache in order to obtain 
cache cookies or Web pages previously visited. 

At the application layer it allows the control of 
JavaScripts (initially they are disabled and you can in- 
dicate, for a particular provider, if you consider it as 
untrusted or if you grant them permanent or temporal 
permissions), Flash and plugins (in a similar way as 
JavaScript they are initially blocked and you can grant 
them some permissions). In this level it also supports 
the filter of advertisements. 

JonDoFox combined with JAP/JonDo or Tor provides 
a comprehensive solution that covers all layers (TCP/IP, 
HTTP and application). 

3.4.13. I2P 

I2P (I2P, 2011) is the implementation of the solution 
presented in Section 3.1.3. This tool offers a way to se- 
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curely communicate network applications such as Web, 
mail, peer-to-peer, IRC chat, etc. It provides a graphical 
interface although it can also be used in command line 
mode, which is not recommended for novice users. 

When the tool is installed, it does not offer any tool 
to users so that they can make their Web traffic to go 
through I2P network. The user has to configure manu- 
ally the use of a proxy, an HTTP outproxy so that the IP 
address of the user is concealed. 

The usability of this tool has been analysed in (Abou- 
Tair et al., 2009) and the authors conclude that this tool 
need to be improved in order to be used by novice users 
since its use requires technical knowledge for the instal- 
lation and configuration processes. 

As for usability criteria (Abou-Tair et al., 2009), this 
tool has obtained worse results than Tor and JAP/Jondo, 
which are more mature tools with a long way in this 
field. 

Currently, this network is the second largest 
anonymity network (with 483 servers) after Tor (Li 
etal., 2011). 

With respect to performance, (Abou-Tair et al., 2009) 
we can mention that I2P's average bandwith is worse 
than Tor and JAP. 

As this tool only covers TCP/IP level, we should 
combine it with tools that offer protection in the other 
levels. 

3.4.14. Firebug with Firecookie 

Firebug (Hewitt et al., 2011a) is an add-on for Mozilla 
Firefox and Google Chrome that allows us to perform 
Web development tasks - for other Web browsers we 
can make use of Firebug Lite (Hewitt et al., 201 lb) -. 

We have included this tool since with it we can con- 
trol all the information that is sent and received by our 
Web browser (HTTP request and responses, HTML, 
CSS, Javascript, etc). Furthermore, we can install an 
add-on for this tool named Firecookie in order to con- 
trol cookies. 

Firecookie (Odvarko, 2011) supports to inspect the 
cookies we receive, create them, remove them as well 
as to define permissions (if they are enabled or not, ac- 
cept/deny cookies from a Web site, edit them, remove 
them, etc). Therefore, this tool only covers some lim- 
ited protection at HTTP layer. 

3.4.15. Cookies Manage r+ 

Cookies Manager + (V@no, 2011) is an add-on for the 
Mozilla Firefox, which allows a more advanced control 
of cookies than the Web browser provides. Namely, this 
tool allows us to view them (their values, when they 
were created and accessed) classified by domains, to 



edit and modify them, clear (all of) them, allow/block 
them, backup and restore them, even to add a cookie for 
a domain. Therefore, this tool only covers some limited 
protection at HTTP layer. 

3.4.16. Cookie Monster 

Cookie Monster (Schilling, 2011) is a Mozilla Firefox 
add-on that helps with the management of (session) 
cookies. It can show and manage first and third party 
cookies. The tool allows the acceptance, rejection and 
temporary acceptance of cookies. This management can 
be general for all Web sites or specified for specific sites. 
Therefore, this tool only offers privacy protection in a 
limited issue of HTTP layer. 

3.4.17. CookieCuller 

CookieCuller (Yamaoka, 2011) is a tool that facilitates 
the delete of non-desired cookies. With this tool we can 
establish the cookies to proctect and the rest of cook- 
ies can be deleted manually. We can also establish that 
once one cookie is deleted, this cannot be established 
again. Thus, this tool facilitates the management of spe- 
cific cookies but it offers a quite reduce functionality as 
for the cookies management for privacy issues. 

3.4. 18. Adblock Plus and AdBlock 

Adblock Plus (Palant, 2011) is an advertisement filter 
for Mozilla Firefox and Google Chrome that blocks all 
advertisements automatically. Thus, user navigation is 
faster and it can prevent some privacy issues related to 
tracking user by means of images of third party entities. 

Adblock Plus allows the definition of filters with ad- 
vanced features such as the use of regular expressions. 
This tool has received several awards (see (Palant, 
2011)). Futhermore, we can download existing filter 
lists such as Easy List (Michael, Ares2, Erunno, Khrin 
and MonztA, 201 1) or Fanboy list (Fanboy, 201 1) in or- 
der to facilitate the user the definition of filter lists that 
automatically avoid advertisements (even those that are 
placed in videos), banners and tracking. These lists can 
also be used with Microsoft Internet Explorer. Thus, 
Adblock Plus is designed to protect the user from the 
risks of the application layer as for active content as ad- 
vertisements. It should be combined with other tools for 
this level as well as some tools for the other levels. 

As Adblock Plus was not available for Google 
Chrome, AdBlock was created (Weisbein, 2011). Ad- 
Block is available for Safari (Gundlach, 2011b) and 
Google Chrome (Gundlach, 2011a). AdBlock is in- 
spired in Adblock Plus (ABP) and shares most of the 
features that ABP offers: it blocks advertisements and it 
allows the use and definition of different kind of filters. 
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Unlike ABP, AdBlock offers some new additional fea- 
tures such blocking advertisements in Flash games or 
hiding a section in a Web page. 

In order to know how good your popup blocker is 
you can use the different tests that are provided by Pop- 
upTest.com (WebAttack, Inc, 2011). 

3.4.19. ChromeBlock 

ChromeBlock (Abine, 2011a) is an extension for 
Google Chrome that blocks Web beacons, bugs, adver- 
tisers and establishes opt-out cookies. Furthermore, it 
is important to point that it supports that user can be in- 
formed and she can manage how it is tracked in each 
Web site. Thus, users can decide on how much infor- 
mation they provide on their Web behaviour. Therefore, 
this solution provides privacy at HTTP and applications 
layers. 

3.4.20. PithHelmet 

PithHelmet (Solomon, 2011) is an ad blocker plug-in 
for Safari. Hence, it can block ad images and Flash. 
With this tool is possible to configure both the ad block- 
ing level and the cookie privacy level. Furthermore, 
it supports the specification of rules (based on Perl- 
Compatible Regular Expressions) that define the con- 
tent to be blocked as well as blocking images/cookies 
from specific Web sites. Therefore, this solution is used 
to provide privacy at HTTP and applications layers. 

3.4.21. NoScript 

NoScript (Maone, 2011) is a tool for blocking active 
content such as Java, JavaScript, Flash, Silverlight, Web 
bugs, plugins, etc. 

The active content is blocked by default. However, 
the tool offers the possibility of defining trusted Web 
sites as well as you can decide that the scripts of a Web 
site can be executed temporarily or permanently. It also 
support the Do Not Track (see Section 3.2.5). Thus, it 
covers some solutions of HTTP layer (Do Not Track) 
and application layer (being a HTML filter). 

3.4.22. JavaScript blacklist 

JavaScript blacklist (Thaler, 2011) is an extension 
which can block Javascript from a list of domains that 
can be configured. Thus, this tool only offers protection 
at application level. 

3.4.23. Ghostery 

Ghostery (Cancel and Shnir, 2011) is a tool that detects 
and blocks Web bugs, scripts and trackers (ad networks, 
behavioral data providers, Web publishers, etc). It also 



allows the user to know the information each Web site 
gathers and the privacy policy that follows. 

An interesting option of Ghostery is the possiblity of 
informing on the companies that track information on 
users. This information will be stored in a server that 
can be used for the tool in order to improve progres- 
sively the control of the trackers. Thus, this tool helps 
in improving privacy at application level. 

3.4.24. BetterPrivacy 

BetterPrivacy (Yardley, 2011) protects against Flash 
cookies (Local Shared Object - LSO). This add-on for 
Mozilla Firefox erases Flash cookies on the exit of the 
Web browser. It also allows the visualization and man- 
agement of this kind of cookies. We can also protect 
those that we are interesting in. Futhermore, it offers 
different options for configuring the erase of these cook- 
ies: time, on exit, on application start, etc. Therefore, 
this solution offers some protection as for application 
layer. 

3.4.25. OptimizeGoogle 

OptimizeGoogle (OptimizeGoogle, 2011) is an add-on 
for Mozilla Firefox which purpose is to optimize the re- 
sults that Google returns when a query is made. Further- 
more, it removes annoying content and protect user's 
privacy. Namely, this tool blocks Google Analytics 
cookies, removes advertisements and click tracking and 
anonymizes user's Google identifier. Therefore, this 
tool contributes in the protection of user's privacy at ap- 
plication level but it is limited to Google and it would 
be useful to be used with other search engines as Ya- 
hoo, Bing, etc. 

3.4.26. TrackMeNot 

TrackMeNot (Howe and Nissenbaum, 2009; Howe 
et al., 2011) is a Web browser add-on that aims to pre- 
vent that Web search engines can create a user profile 
from the Web searches the user makes. To achieve this 
goal this tool uses obfuscation techniques by issuing pe- 
riodically search queries generated randomly. Hence, 
the real user queries are mixed in a crowd of other 
queries, which makes more difficult the creation of user 
profiles. This queries can be sent through different Web 
search engines such as Google, Bing, AOL, Yahoo!, etc. 
Therefore, this solution contributes to protect user pri- 
vacy at application layer for Web search engines. 

3.4.27. Starting page 

Starting page (Abine, 2011b) is a private Web search 
engine that uses Google to make queries at the same 
time they protect your privacy. 
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This engine does not create a log with your IP ad- 
dress and it does not either use tracking cookies. These 
facts have been certified with the European Privacy seal 
(EuroPriSe, 201 1) and by Certified Secure. 

This Web search engine also offers the possibility of 
using SSL/TLS for the HTTP connection. Furthermore, 
it also provides plug -ins for the main Web browsers. 
Therefore, this Web search engine allows users to pro- 
tect privacy at application level for Web search queries. 

3.4.28. Scroogle 

Scroogle (Scroogle, 2011) is a private Web search en- 
gine based on Google that avoids that Google can track 
user by means of cookies or user's IP address. Further- 
more, logs are deleted after 48 hours. 

User Web search queries can be sent to Scroogle by 
using SSL/TLS. When this search engine receives user's 
query, it chooses randomly an IP address between seven 
hundred possible addresses and this chosen address is 
used to send the request to Google. The cookie that 
Google establishes when the results to the query are pro- 
vided is deleted. These results are provided to the user 
and Scroogle deletes them after an hour. Thus, this Web 
search engine allows user to protect privacy at applica- 
tion level for Web search queries. 

4. Comparison and discussion 

In this section we perform a comparison between the 
different solutions that the tools analysed previously 
provide. 

For each tool we compare different features such as: 
OS supported, type of license, latest release (month and 
year) and which layers the tool covers as for privacy. 

We also compare the different privacy protection fea- 
tures that each browser offers as well as the different 
extension/plug-ins/add-ons that can be incorporated to 
them in order to improve these features. 

This information is shown by means of different ta- 
bles. Hence, firstly, we compare the different tools from 
its current state, that is, which OS support, the type of li- 
cense under the software is distributed and, finaly, when 
the latest version of the tool has been released. Thus, 
users can know whether they can use it in their operat- 
ing system, the conditions of the license and whether the 
tool is updated. This information in shown in Table 1 . 

As we can see in that table, we have included the 
main Web browsers -see report from StatCounter (Stat- 
Counter, 201 1) and Chikita Insights (Cavanagh, 201 1)-. 
We have included them since although they are not a pri- 
vacy tool, they are used to browse Web pages and they 



contain some elements (configuration options) that help 
in providing a better privacy when users are surfing on 
the Internet. 

In Table 1 we can also see that except for Multiproxy 
that is only available for Windows, the rest of tools are 
available for the main current OS (Linux, Windows and 
Mac OS). This is also due to the fact that most of the 
tools are extensions to Web browsers, thus, if the Web 
browser is developed for an OS, in general, the exten- 
sion automatically works for that OS. 

From Table 1 we also want to mention that although 
Microsoft Internet Explorer has a propietary license, we 
have included it since if the user has a Windows license, 
then, its download is free. 

We can also see that most of the tools covered have 
released recently (in the last six months) a version of its 
software. 

Next, in Tables 2, 3 and 4 we show the different con- 
figuration options that main Web browsers offer to end 
users in order to improve their privacy protection. 

In Table 2 we compare the different options they offer 
with respect to allow/block different Web objects (pop- 
ups, JavaScript, Java, ActiveX and Web bug). 

As we can see in Table 2, all browsers support the 
blocking of pop-ups. It is important to point out that 
only Microsoft Internet Explorer considers Web bugs, 
although with the blocking of images this problem could 
be solved in other Web browsers. However, this can 
cause usability problems to users. 

We can also mention that all of them support the 
blocking of Javascript. However, not all the Web 
browsers can block Javascript for a specific Web site. 

In Table 3 we compare how the different Web 
browsers support the management of cookies (both first 
and third party cookies) as well as Do Not Track feature. 

Related to cookies, in general, current Web browsers 
offer a wide range of options and in most of the cases 
you can perform its management in an individual level 
for each Web site (see Table 3). This is due to the fact 
that cookies management is a fundamental element to 
maintain privacy. 

Both Mozilla Firefox and Microsoft Internet Explorer 
support for prompting for cookies. This option can be 
useful for advanced users that can decide whether to ac- 
cept a cookie or not. However, this option, if enabled, 
can be disturbing since, in general, the most popular 
Web sites use more than a cookie (Yue et al., 2007, 
2010). 

The Do Not Track feature is supported by all Web 
browsers except for Google Chrome as they do not con- 
sider this approach suitable and, therefore, they have de- 
cided not support it. Instead of it, their approach is to 
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Tool 


OS 


License 


Latest Release 


Linux 


Windows 


Mac OS 


Microsoft Internet Explorer 9 


Y 


Y 


Y 


Propietary 


8/2011 


Mozilla Firefox 7 


Y 


Y 


Y 


MPL/GPL/LGPL 


9/2011 


Google Chrome 12 


Y 


Y 


Y 


BSD, Google Chrome Terms of service 


9/2011 


Safari 5 


Y 


Y 


Y 


Propietary, LGPL 


7/2011 


Multiproxy 


N 


Y 


N 


Free 


12/2008 


CGIproxy 


Y 


Y 


Y 


Free 


12/2008 


Privoxy 


Y 


Y 


Y 


GNU GPLv2 


11/2010 


Polipo 


Y 


Y 


Y 


MIT 


5/2011 


Tor 


Y 


Y 


Y 


BSD 


2/2011 


Torbutton 


Y 


Y 


Y 


BSD 


7/2011 


Foxy Proxy 


Y 


Y 


Y 


GNU GPLv2 


7/2011 


UnPlug 


Y 


Y 


Y 


Affero GPL license v3 


8/2011 


Plugin customs 


Y 


Y 


Y 


Free 


10/2010 


Tor browser bundle 


Y 


Y 


Y 


BSD 


7/2011 


JAP/JonDo 


Y 


Y 


Y 


BSD 


7/2011 


JonDoFox 


Y 


Y 


Y 


BSD 


7/2011 


I2P 


Y 


Y 


Y 


BSD 


6/2011 


Firecookie 


Y 


Y 


Y 


BSD 


8/2011 


Cookies Manager + 


Y 


Y 


Y 


Mozilla Public License, version 1 . 1 


4/2010 


Cookie Monster 


Y 


Y 


Y 


Mozilla Public License vl.l 


10/2010 


CookieCuller 


Y 


Y 


Y 


Mozilla Public License vl.l 


10/2010 


Adblock Plus 


Y 


Y 


Y 


Mozilla Public License vl.l 


6/2011 


Adblock for Safari 


N 


Y 


Y 


GNU GPL v3 


6/2011 


Adblock for Chrome 


Y 


Y 


Y 


GNU GPL v3 


6/2011 


ChromeBlock 


Y 


Y 


Y 


Free 


7/2011 


PithHelmet 


Y 


Y 


Y 


GNU GPL v2 


6/2011 


NoScript 


Y 


Y 


Y 


GNU GPLv2 


8/2011 


JavaScript blacklist 


Y 


Y 


Y 


Free 


N/A a 


Ghostery 


Y 


Y 


Y 


GNU GPLv2 


9/2011 


BetterPrivacy 


Y 


Y 


Y 


GNU GPLv2 


8/2011 


OptimizeGoogle 


Y 


Y 


Y 


GNU GPL 


11/2010 


TrackMeNot 


Y 


Y 


Y 


Creative Commons 


7/2011 


Starting page 


Y 


Y 


Y 


Free 


_b 


Scroogle 


Y 


Y 


Y 


Free 


_b 



a Information not available 
b It is a Web site 



Table 1: Tools, OS, license and latest release 
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~~ ~~~~-__Web browser 
Option 


Mozilla 
Firefox 


Microsoft 
Internet 
Explorer 


Google 
Chrome 


Safari 


Allow/Block pop-up windows 


X 


X 


X 


X 


Allow/Block pop-up windows for specific Web sites 


X 


X 


X 


X 


Allow/Block load images automatically 


X 


X 


X 




Allow/Block load images from particular Web sites 


X 


X 


X 




Allow/Block Web bugs 




X 






Allow/Block Web bugs for particular Web sites 




X 






Allow/Block Javascript 


X 


X 


X 


X 


Allow/Block Javascript for specific Web sites 




X 


X 




Allow/Block Javascript move or resize existing windows 


X 








Block/Allow Javascript raise or lower windows 


X 








Allow/Block Javascript disable or replace context 
windows 


X 








Allow/Block ActiveX 


*a 


X 






Allow/Block Java 


sfcb 


*b 




X 


Enable/disable extensions/plug-ins/add-ons 


X 


X 


X 


X 


Enable/disable an specific extension/plug-in/add-on for 
private browsing mode 






X 




Automatically block tracking content (scripts, images, 
ads) 




X 







a Mozilla Firefox does not support ActiveX 

b By default it does not support Java and it has to be included as an extension. Thus, it is disabled as an extension. 



Table 2: Comparison of Web browsers as for Web objects management 



~~ ~~~~___Web browser 
Option 


Mozilla 
Firefox 


Microsoft 

Internet 

Explorer 


Google 
Chrome 


Safari 


Accept/block first-party cookies 


X 


X 


X 


X 


Accept/block first-party cookies from particular Web sites 


X 


X 


X 




Accept/block third-party cookies 


X 


X 




X 


Accept/block third-party cookies from particular Web sites 


X 


X 


X 




Prompt first-party cookies 


X 


X 






Prompt third-party cookies 


X 


X 






Always allows session cookies 




X 






Delete all cookies stored 


X 


X 


X 


X 


Delete stored specific cookies 


X 




X 


X 


Do Not Track 


X 


X 







Table 3: Comparison of Web browsers as for cookie management and Do Not Track 
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support opt-out cookies. 

In Table 4 we present the results of the comparison 
between the different Web browsers as for management 
of history, passwords, private browsing mode, geoloca- 
tion and the choice of the language to show Web pages. 
These are additional elements that can reveal user's PII 
to both a local attacker and Web attacker Aggarwal et al. 
(2010). 

All the Web browsers support private browsing mode 
since they are conscious that privacy is an important fea- 
ture for users. However, it is important to point out 
that there are differences between the diverse ways of 
implementing private browsing mode as mentioned in 
(Aggarwal et al., 2010). Apart from this feature that, in 
general, controls cookies, history and plug-ins so that 
they do not share information between different ses- 
sions in the browser and they delete PII once the ses- 
sion has finished. Private browsing mode in these Web 
browsers also allows the customization of how to man- 
age the elements previously mentioned as we have seen 
in the previous tables. Furthermore, the management of 
these options can be improved with the tools mentioned 
throughout Section 3.2 and that are shown in Tables 5 
and 6. 

In Table 4 it is important to point out the capability 
of users to configure the Web browser to block those 
Web sites that are being notified as Web site forgeries 
or reported attack sites. This is specially useful for end 
users since they can know dangerous sites without being 
experts and help them in to decide which Web sites to 
trust in. 

It is also worth to mention geolocation option since 
nowadays many Web sites use the geolocation API (Ap- 
plication Programming Interface) for obtaining user's 
location (this can be used to create user's profiles). 
However, with the possibility of enabling or disabling 
this option users can be aware of the Web sites that re- 
quest their location and they can decide whether they 
provide their location. 

Finally, in Table 4 we can see that, except Safari, all 
of them allow the choice of the language. Thus, if we 
configure that our chosen language is English we will 
difficult locate the user, fingerprinting our Web browser 
and, therefore, the creation of user's profiles. 

As we can see in Tables 2, 3 and 4, Web browsers 
also allow the user can control how to manage cookies, 
history, passwords and establish exceptions for each of 
these elements both in private browsing mode and in 
public mode. The capability of being able to define 
exceptions allows users to establish a better control of 
the Web sites they want filter and mantain private at the 
same time they maintain usability in navigation. 



These tables also show that the Web browsers that al- 
low a better control on the different elements that could 
cause a leakage of PII are Mozilla Firefox and Microsoft 
Internet Explorer, followed by Google Chrome and Sa- 
fari. 

In Table 5 we show the different tools and how these 
are available for the different Web browsers. In this 
table we can see that most of free tools are available 
for Mozilla Firefox. We can also point out that only a 
few of them are available for all the Web browsers anal- 
ysed: Firecookie, Ghostery and private browsing mode. 
Apart from these tools, we can mention Starting page 
and Scroogle because they are Web sites. We have not 
included Tor, JAP/Jondo, I2P, Multiproxy, CGIproxy, 
Privoxy and Polipo because they are tools that are in- 
dependent of the Web browser to use. 

From the different tools analysed and freely avail- 
able we can mention that the largest group is devoted 
to cookies management, followed by those that are for 
proxies, pop-ups and Web bugs. On the other hand, the 
features that are less covered are: Do Not Track and pri- 
vate Web search. 

As for private Web search we can also mention that, 
from the tools analysed, all support the use of Google 
as Web search engine. However, only Trackmenot al- 
lows the use of other Web search engines different from 
Google. 

We can also mention that most of the tools are cen- 
tered on protecting an specific level (TCP/IP, HTTP or 
application). The tools that cover more than one level 
are: Privoxy, Polipo, TorButton, Tor browser bundle, 
JonDoFox, PithHelmet and Optimize Google. 

In particular, the tools that cover more levels are Tor 
browser bundle, Privoxy and Polipo. Indeed, they cover 
all of them. 

In the case of Tor browser bundle, this is due to the 
fact that is a combination of several tools. Even though, 
it does not cover all the elements to protect. Namely, 
this package does not include a private Web search 
tool. This could be solved by means of the installation 
of some of the extensions mentioned for this purpose 
(TrackMeNot, OptimizeGoogle or Starting page) or by 
using some of the Web sites mentioned for this purpose 
(Starting page or Scroogle). 

In the case of Privoxy and Polipo, as for TCP/IP level, 
they do not protect the traffic eavesdropping, they only 
hide IP address if they are executed in another com- 
puter different from user's computer. These tools are 
proposed to be used in combination with Tor in order to 
avoid problems related to the other levels (mainly in the 
application layer as HTTP or HTML filter). 

We can also point out the case of JondoFox that is 
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Option ~~ — 


1VT 07illa 

ItIULIUu 

Firefox 


Microsoft 

Internet 

Explorer 


(tOopIp 

V ■ \ 1 \ 1 I V. 

Chrome 


Safari 


Remember history 


X 








Never Remember history 


X 








Delete history 


X 


X 


X 


X 


Customized remember of history 


X 








Remember/Not remember browsing history 


X 








Delete browsing history when browser closes 


X 


X 






Remember/Not remember download history 


X 








Remember/Not remember search and form history 


X 








Private Browsing mode 


X 


X 


X 


X 


Block reported attack sites 


X 


X 


X 




Block reported Web forgeries 


X 


X 


X 




Allow/Block remember passwords 


X 








Allow/Block remember passwords for particular Web sites 


X 








Management of saved passwords 


X 




X 




Enable/disable geolocation 


X 


X 




X 


Enable/disable geolocation for specific Web sites 






X 




Prompt for geolocation 






X 




Choice of the language to read Web pages 


X 


X 


X 





Table 4: Comparison of Web browsers as for management of history, passwords, private browsing mode, geolocation and language 



a tool, which covers almost all the features required for 
navigate privately on the Web except those realted to the 
TCP/IP level. JondoFox as Tor browser bundle covers 
almost of them because it is a combination of several 
tools. In order to support all the features, we can com- 
bine it with JAP/Jondo or with Tor. Thus, the TCP/IP 
level would be covered with protection against traffic 
analysis. 

Next, we discuss, for each Web browser, the different 
tools that we would need to cover all (or many of them 
as possible) the features analysed. In this analysis we 
also try to choose the combination of tools that requires 
the least number of tools within the set with the aim of 
facilitating the installation process to end users. 

In all combinations the use of Stating page is pro- 
posed. As for cookies management and pop-ups, the 
tools to choose change. We can also mention that the 
management of Flash cookies is hardly supported and 
more tools are required. 

For Mozilla Firefox the main combinations are: Jon- 
doFox and BetterPrivacy combined with JAP/JonDo or 
Tor or I2P, or Tor browser bundle and BetterPrivacy with 
Starting page/TrackMeNot plug-in. 

The former combination consists of JondoFox that 
covers HTTP and application levels. Therefore, it only 
only needs to cover TCP/IP level. For this purpose we 



can use JAP/JonDo, Tor or I2P. Furthermore, it includes 
BetterPrivacy in order to remove Flash cookies. 

The latter combination consists of Tor browser bun- 
dle that covers the three levels. However, in the 
third level it does not include a plug-in for private 
Web search. For this purpose, the use of Starting 
page/TrackMeNot plug-in is recommended. Although 
we could also configure the Web browser so that Web 
search requests go through Scroogle's CGI. Finally, in 
the same way as the previous combination, it also in- 
cludes BetterPrivacy for the control of Flash cookies. 
Thus, with these tools we can cover all the features men- 
tioned. 

For Microsoft Internet Explorer the set of tools that 
could cover most of the features of the different lev- 
els are: Tor or JAP/Jondo or I2P, Polipo, AdBlocklE, 
FoxyProxy, Ghostery and Starting page. These tools 
cover most of the privacy protection features of the three 
level. However, in this combination there is no tool that 
can remove automatically Flash cookies. 

For Google Chrome the set of tools that could cover 
most of the features of the different levels are: Tor or 
JAP/Jondo or I2P, Polipo, FoxyProxy, ChromeBlock, 
BetterPrivacy and Starting page. In this set of tools the 
support of Do Not Track is not provided. 

In Safari the set of tools chosen is: Tor or JAP/Jondo 
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Tool 


Web browser 


Mozilla Firefox 


Microsoft Internet Explorer 


Google Chrome 


Safari 


TorButton 


X 








FoxyProxy 


X 


x a 


x a 




UnPlug 


X 








Plugin customs 








X 


Firecookie 


X 


X 


X 


X 


Cookies Manager+ 


X 








Cookie Monster 


X 








CookieCuller 


X 








Adblock Plus 


X 


X 






Adblock 






X 


X 


AdblocklE 




X 






ChromeBlock 






X 




PithHelmet 








X 


NoScript 


X 








JavaScript Blacklist 








X 


Ghostery 


X 


X 


X 


X 


BetterPrivacy 


X 




X 




Private Browsing Mode 


X 


X 


X 


X 


OptimizeGoogle 


X 








TrackMeNot 


X 




X 




Starting page 


x b 


X 


x b 


X 


Scroogle 


x c 


x c 


x c 


X 



a Available soon. 

b It is a Web site, therefore it works with any Web browser. Furthermore, for this Web browser it also 
offers a plug-in. 

c It is a Web site, therefore it works with any Web browser. Furthermore, for this Web browser it also 
indicates how to customize the browser so that search queries go directly to this Web search engine. 



Table 5: Tools for Web browsers 
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or I2P, Polipo, Unplug, Plugin customs/PithHelmet, 
JavaScript Blacklist and Starting page. Although most 
of the features are coverded for the three levels, in this 
combination there is no tool that can remove automati- 
cally Flash cookies. 

From these combinations we can point out that the 
tools for mixes in TCP/IP level can be used with any 
Web browser since they are independent of the browser 
and are used through a proxy. We can also point out 
Polipo as HTTP/HTML filter. 

Finally, from out analysis, we can derive that cur- 
rently for the main Web browsers there are enough tools 
to navigate privately on the Web, although some is- 
sues related to usability and performance should be im- 
proved. 

5. Related Work 

There is an important number of proposals that have 
been designed to perform anonymous communications. 
In general, the different works and surveys that have 
analysed the state of the art of in this field do not have 
analysed all the elements that are needed to perform an 
anonymous Web communication (see the different lev- 
els to cover in Section 2.2). In general, these works have 
focused on the analysis of the solutions for some on the 
levels we introduced. Next, we mention those works 
and the different solutions they analyse. 

For the analysis of anonymous communications at 
TCP/IP level, which is the topic most analysed, there are 
several works that are a reference in the field (Rezgui 
et al., 2003; Gritzalis, 2004; Danezis and Diaz, 2008; 
Danezis et al., 2009; Edman and Yener, 2009; Danezis 
and Giirses, 2010; Ren and Wu, 2010). 

The use of cookies and different solutions has been 
mentioned in (Rezgui et al., 2003; Senicar et al., 2003; 
Linn, 2005; Yue et al., 2010; Barth, 201 1). Although an 
exhaustive comparison between different proposal has 
not been performed. 

An analysis of private browsing mode in the different 
Web browsers has been presented in (Aggarwal et al., 
2010). Namely, this paper compares how this mode 
is supported in Mozilla Firefox, Microsoft Internet Ex- 
plorer, Google Chrome and Safari. 

We can also find some works related to the usability 
of anonymity networks and tools in (Clark et al., 2007; 
Abou-Tair et al., 2009; Schomburg, 2009; Fabian et al., 
2010). In these papers we can find data on the number 
of users, countries and the main difficulties users have 
when they want to navigate privately with some of the 
tools available. 



In spite of these works, to the best of our knowledge, 
there is no work that considers all the different protec- 
tion measures that should be taken into account when a 
user is surfing on the Web. There are works that only 
cover a part of the whole problem as we have just men- 
tioned. Thus, in order to offer a comprehensive view, in 
this paper we have analysed which anonymous commu- 
nication methods have been implemented, which tools 
support them and how they can be combined in order to 
be used to surf privately on the Web. 

In our paper we have also shown the relationships be- 
tween the different risks in the different layers, e.g., if 
we provide privacy at TCP/IP level, we have seen that 
user's PII could be compromised by menas of cookies 
or Web browser fingerprinting, that is, based on the in- 
formation of the other levels. Therefore, we need to 
provide protection in the three levels. 

Apart from the risks, we have also shown how the 
different techniques and tools can be combined for min- 
imize the risks users are exposed when they are surfing 
on the Web. This have been studied and analysed for the 
main Web browsers, that is, Mozilla Firefox, Microsoft 
Internet Explorer, Google Chrome and Safari (from Ap- 
ple). 

6. Conclusions and future work 

Users are concerned for privacy when they surf on the 
Internet. Indded, increasingly Web users are realising 
of the importance that companies know information on 
their preferences, behaviour, purchase habits, etc. As 
a consequence, in the last ten years we have seen how 
scientific community has researched in this field to offer 
this kind of solutions to this problem and an important 
number of proposals have appeared in order to provide 
anonymous communications on the Internet. 

In order to navigate privately on the Web it is required 
that the development of solutions that take into account 
different levels where personally identificable informa- 
tion leakage could happen. Namely, privacy can be 
compromised using information of three different lev- 
els: TCP/IP level, HTTP level and application level. 

In this paper we have described the different risks as- 
sociated to each level, the different techniques that have 
been proposed and, from those that have been devel- 
oped, we have analysed them in order to know the dif- 
ferent advantages, disadvantages and possible attacks 
could happen. This analysis shows that privacy is a 
complex issue and that we need to combine different 
techniques for each level in order to provide a compre- 
hensive solution that do not compromise user's privacy. 
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Tool 


Level 


TCP/IP 


HTTP 


Application 


Prox 
roxy 


Mixes 


Cookies 


HTTP 
filter 


SAWP a 


PBM b 


DNT C 


Pop 
ups 


Web 
bugs 


Scripting 


Active 
Objects' 1 


AAWP e 


PWST f 


Multiproxy 


X 


























CGIproxy 


X 


























Privoxy 


x' 




X 


X 


X 






X 


X 


X 


X 


X 




Polipo 


X 1 




X 


X 


X 








X 


X 


X 


X 




Tor 




X 
























TorButton 






X 


X 




X 




X 


X 


X 


X 






Foxy Proxy 


X 


























UnPlug 






















X s 






Plugin 

customs 






















X 






Vidalia 
bundle 


X 


X 
























Tor browser 
bundle 


X 








X 


X 


X 










X 




JAP/JonDo 




X 
























JonDoFox 






X 


X 


X 


X 


X 


X 


X 


X 


X 


X 


X 


I2P 




X 
























Firecookie 






X 






















Cookies 
Manager+ 






X 






















Cookie 
Monster 






X 






















Cookie 
Culler 






X 






















Adblock 
Plus 
















X 


x 




x 






AdblockS 
















X 


X 




X 






ChromeBlock 


















X 










PithHelmet 






X 










X 


X 




x h 






NoScript 
















X 


X 


X 


X 






JavaScript 
blacklist 






















X 






Ghostery 


















X 


X 








Better 
Privacy 






















X 1 






Optimize 
Google 






X 








X 


X 










X 


TrackMeNot 


























X 


Starting 
page 


xJ 
























X 


Scroogle 


xJ 
























X 



a Simple Anonymous Web Proxy 

b Private Browsing Mode 

c Do Not Track 

d Flash, ActiveX, Java, etc 

e Advanced Anonymous Web Proxy 

e Private Web Search Tool 

f It hides IP if it executed in a host different from user's computer 
g Both AdBlock for Google Chrome and AdBlock for Safari 
h Only for Flash 
1 Only for Flash cookies 

1 From the point of view of the Web search engine they are a proxy. 

Table 6: Privacy levels covered 
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These techniques have been developed by different soft- 
ware tools. We have made an analysis on the main tools 
that are freely available, that, as we have shown, there 
are an interesting number of them. 

From the analysis made on these tools, we can point 
out that there is no single software package that facil- 
itates users navigate privately. Even though, there are 
some packages such as Tor browser bundle and Jondo- 
Fox that cover many on them and only need some ad- 
ditional tools to provide a comprehensive solution that 
protects user's PII. 

In this paper we have identified the main combina- 
tions of tools available for each Web browser in order to 
provide a comprehensive solution. This is an issue that 
should be taken into account in order to facilitate that 
users can surf privately on the Web and increase their 
usability. Thus, a suite or package that installed easily 
the different combination of tools proposed, it would fa- 
cilitate its acceptance. Currently, end user would have 
to install, at least, three software tools (it depends on the 
Web browser chosen). 

This paper also shows that Mozilla Firefox is the Web 
browser that has more tools and options to configure any 
of the different features to be covered in each level. In 
spite of the fact, for the other Web browsers also exist 
tools that could cover almost all the features required 
to surf on the Web privately. However, they require the 
installation of different tools can suppose usability prob- 
lems for end users as we have just mention. Mainly, this 
is due to the fact that this installation and configuration 
is sometimes difficult or not understable for end users. 

Therefore, this paper, thanks to the analysis made on 
the different techniques, tools and the levels to cover 
in order to protect users' privacy, provides a compre- 
hensive view to both researchers and end users on the 
privacy risks when surf on the Web and how they can 
mitigated thanks to the use of different tools that are 
available for the main Web browsers. 
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